Despite taking more than two months to detect, the attack on JPMorgan Chase was enabled by a flaw in a corporate challenge website.
Credentials catalogued in Hold Security's August report, which listed 1.2 billion stolen username and password combinations, pointed to a serious problem at the website for the JPMorgan Chase Corporate Challenge: the email addresses and passwords of race participants who had registered on the Corporate Challenge website were among those 1.2 billion credentials.
According to the New York Times, the online platform is used for a series of annual charitable races that JPMorgan sponsors in major cities, and it is run by an outside vendor. The same database also included the certificate for the website of the Corporate Challenge site's vendor, Simmco Data Systems, indicating a serious breach: with it, attackers could pose as the race website operator and intercept traffic, such as race participants' login credentials.
This certificate was first compromised in April, suggesting that the hackers could have begun their attack on the bank at least four months before the bank noticed any unusual activity within its own network.
Following intervention from Hold Security, Simmco Data soon found evidence that hackers using suspicious IP addresses had probed and infiltrated the server that ran the Corporate Challenge website.
The Corporate Challenge website was taken down on August 7th, two days after the report was released. After further examination of traffic on its own network, the bank discovered the malicious activity and learned that JPMorgan's systems had been breached by the same hackers who broke into the Corporate Challenge website.
The attackers were able to access 90 of the bank’s servers, though the bank maintains that the damage to customers was limited.
The bank declined to comment on how the breach was carried out, saying that the attackers were only successful in accessing a select set of information. “The overwhelming majority of doors and windows they tried to open remained securely locked,” said Patricia Wexler, a JPMorgan spokeswoman.
Brian Honan, CEO of BH Consulting, told IT Security Guru that while he felt the NY Times report was interesting, it did not go into enough detail as to how the events website led to the compromise of other systems.
He said: "Was it reuse of passwords from the event site to other systems? Did the criminals download malware as part of their man-in-the-middle attack? Or did they use the event website as a jump off point into the rest of the JP Morgan systems?
“If it was a case of users reusing passwords, then this activity can be relatively difficult to detect as all logins and actions will look like normal user behaviour. The security systems would need to be configured to detect unusual user behaviour (such as accessing systems not in their job role and/or logging in from strange IP addresses).
“Whether or not it was the re-use of passwords or another avenue of attack, it was interesting to note from the article that the bank had already noted unusual behaviour on the network and were in the process of investigating that when the breach was discovered.”
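To make concrete the kind of behavioural detection Honan describes (a user reaching systems outside their job role, or logging in from a strange IP address), here is a small added example. It is not code from the article, from JPMorgan or from BH Consulting; the log format, the user-to-system role map and the corporate address range are all hypothetical, and the log lines are constructed for illustration.

```python
# Added illustration (not from the article or any named party): two of the
# checks Brian Honan describes, run over constructed authentication log lines.
#   1. a successful login from outside the corporate address space
#   2. a successful login to a system outside the user's job role
# Password reuse makes both logins look legitimate at the credential level,
# so the only signal left is the context of the login itself.
import ipaddress
from typing import Dict, List, Set

# Constructed sample log lines in a hypothetical "ts key=value ..." format.
# Not real data; the external source 203.0.113.45 is a documentation range.
SAMPLE_LOGS = """\
2014-06-02T08:01:13Z user=alice src=10.20.4.17 system=hr-portal result=ok
2014-06-02T08:05:40Z user=alice src=10.20.4.17 system=hr-portal result=ok
2014-06-03T09:12:02Z user=bob src=10.20.9.3 system=trading-app result=ok
2014-06-03T09:40:55Z user=alice src=10.20.4.21 system=hr-portal result=ok
2014-06-04T02:17:09Z user=alice src=203.0.113.45 system=hr-portal result=ok
2014-06-04T02:19:31Z user=alice src=203.0.113.45 system=wire-transfer result=ok
2014-06-04T02:22:10Z user=bob src=10.20.9.3 system=trading-app result=ok
"""

# Hypothetical role map: the systems each user is expected to reach.
ROLE_SYSTEMS: Dict[str, Set[str]] = {
    "alice": {"hr-portal"},
    "bob": {"trading-app"},
}

# Hypothetical corporate address space; any other source is "strange".
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'ts k=v k=v ...' line into a dict; ValueError if malformed."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("line too short")
    fields = {"ts": parts[0]}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if not sep:
            raise ValueError("field without '=': " + kv)
        fields[key] = value
    return fields


def is_corporate(ip: str) -> bool:
    """True if the source address falls inside a corporate range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable source is treated as external
    return any(addr in net for net in CORPORATE_NETS)


def detect_anomalies(log_text: str,
                     role_systems: Dict[str, Set[str]] = ROLE_SYSTEMS) -> List[dict]:
    """Return one alert per rule hit, in log order."""
    alerts: List[dict] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            ev = parse_line(raw)
            user, src, system = ev["user"], ev["src"], ev["system"]
        except (ValueError, KeyError):
            continue  # skip malformed lines instead of crashing the detector
        if ev.get("result") != "ok":
            continue  # only successful logins pass as "normal user behaviour"
        if not is_corporate(src):
            alerts.append({"ts": ev["ts"], "user": user, "rule": "external_source",
                           "detail": f"login from {src} outside corporate ranges"})
        if system not in role_systems.get(user, set()):
            alerts.append({"ts": ev["ts"], "user": user, "rule": "out_of_role",
                           "detail": f"access to {system} is not in role for {user}"})
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOGS):
        print(a["ts"], a["user"], a["rule"], "-", a["detail"])
```

On the constructed input the detector stays quiet for the in-role, in-network logins and raises three alerts, all for alice: two for the logins from 203.0.113.45, and a third because the second of those reaches wire-transfer, which is outside her role. Both rules depend on a baseline (a role map and an address inventory) being maintained; without one, reused passwords produce no signal at all.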
Asked about the bank's security spend of $240 million, Honan said that while on paper it is a lot of money, it would need to be seen in the context of overall budgets to determine whether that spending is in line with the size of JP Morgan's operations.